Fraud Fighters
TeleCheck busts bad guys
PAGE 28

Code Warriors
Application security beyond pen tests
PAGE 20



Fiserv SVP and Chief Risk Officer Murray Walton


Smarter technology for a Smarter Planet:

How 3.8 million tailored messages made sales numbers look fantastic, too.

Japanese fashion retailer Start Today took an IBM smarter commerce approach to their business, helping increase annual sales on their Zozotown Web site by 54.2%. Their customer-centric focus uses Netezza® and Unica® to rapidly analyze massive amounts of data, letting them create personalized messages for each of their 3.8 million customers. Results? The solution helped increase the e-mail open rate by five times and the conversion rate by nearly 1,000%. Smarter commerce is built on smarter software, systems and services.

Let's build a smarter planet. ibm.com/personalize




April 2012 Vol. 10, No. 3


Also Inside...

2 From the Editor
6 From the Publisher

8 Join the Discussion
CSOonline readers discuss vendors' aggregated data clauses; lies, damn lies, metrics, and baseball

11 Briefing
■ Scientists Say Solar Storms Could Knock Out Power Grids
■ DevOps Outpaces Safety Measures
■ Houston, You Have a Problem
■ Duqu Trojan Written in Mystery Programming Language
■ Was Anonymous Really Hurt by the LulzSec Bust?
■ U.S. Military Logistics Could Be Vulnerable to Attack by China
■ Hackers Infect WordPress Blogs
■ Alliance Aims to Improve Software in Development
■ DDoS Bot Includes New Exploit Attacking Apache Servers

20 Layered Defense for Applications
Toolbox | Securing your applications has never been more important, and there are lots of ways to do just that, as long as you don't mind onions

32 Debriefing
"How Secure Are We?" The Algorithm

Features...

24 What's the Risk of GRC?
Cover Story | Governance, Risk and Compliance
Governance, risk and compliance can be a dauntingly complex undertaking. But for Fiserv, the alternative was even more complicated. By Bob Violino

28 Combating Check Fraud
Fraud Prevention | Tight relationships with law-enforcement agencies are the key to tracking down and prosecuting check fraud criminals. By Mary Brandel


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: †. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover photo by James Schnepf


April  2012  www.csoonline.com  1 


[ FROM THE EDITOR ]


Let's Not Bicker and Argue About Who Killed Who

I have a degree in Linguistics. (But I have a job anyway! Rimshot!) So I have some training in arguing about semantics.

You might say I have a degree in arguing about semantics.

Arguing about semantics is fun, and sometimes it's actually productive and necessary. Example: There's an emerging discipline called content strategy, a collision of journalism, marketing, user experience and other fields. Content strategists have spilled a fair amount of ink going back and forth about what content strategy means, or should mean. That's needed. From this argument emerge more clearly defined goals, better tools for describing the field, and so on. This is good.

Another example, closer to home: The very smart folks on the security metrics mailing list (see securitymetrics.org) occasionally engage in a rousing debate about what security means, which springs from people's attempts to usefully measure security. This is good, and interesting, though perhaps a bit repetitive or circular at times.

Sometimes, though, a word is just a word, and arguing about it or against it is a complete waste of time. That's the case with the word or prefix cyber.

This word seems to rankle many IT security professionals. Actually, "rankle" is too soft a term. It aggravates, irritates, even enrages them. It's lazy, they say; it's meaningless. It's the shorthand of mainstream media hacks who think they're gearheads because they read Neuromancer in middle school.

Here's my thought on the matter, as a trained semantics-arguer and picker of linguistic nits: WHO CARES!

The stronger the reaction, the more puzzled I become. Surely this is the transformation of a proverbial molehill. Is this an issue security should focus on? Is this word damaging the profession's prospects and effectiveness? Is this really so offensive that the rest of the business world (the people whose risks you are working to mitigate) should see the security world looking peevish and petulant about it?

When people talk about cybersecurity or cyberdefense or cyberwar, they're talking about the digital world and its security challenges. That's good. Yes, you can dissect the language and point out its imprecision. So what? Instead, let's not.

Let's rejoice that the issue is on their minds, and strive to engage productively with them.

Even a linguist can recognize that sometimes a word is just a word.

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Managing Editor Bill Brenner
Senior Editor Joan Goodchild
Copy Editor Colleen Barry
Editorial Administrator Pat Josefek
Contributors Taylor Armerding, Mary Brandel, Lucian Constantin, John E. Dunn, Michael Fitzgerald, George V. Hulme, Ellen Messmer, Bob Violino

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Director Carolyn Johnson

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

IDG Enterprise
An IDG Communications Company

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant

BPA Worldwide




Photo  by  Tim  Llewellyn 




The object is Portable, Flexible and More Secure.




Introducing iCLASS® SE™ enabled with the Secure Identity Object (SIO) model.

Introducing the next generation of access control. The platform that simplifies everything.




iCLASS SE Card


Learn about SIO. hidglobal.com/sio or scan this with a QR reader


iCLASS® SE™ protects the integrity of your identities, regardless of the card platform. It's also amazingly flexible — use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply reprogramming it.

Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/secure-CSO


Securing Your Journey to the Cloud

TREND MICRO




[ FROM THE PUBLISHER ]

Trust Me

Now why would you do that? I mean really, why would you trust me? Some of you reading this know me, most of you do not. But even for those who do, I ask the question again, why would you trust me? You read my musings, you see me at events, you know what I do here at CSO, but that's about it. Hey, I could just be making all this stuff up!

Now I'm not saying that you shouldn't trust me (I don't make it up). I am, as it happens, a very trustworthy person, and if you do trust me, then that probably means that you are a very trusting person.

The point I'm making is that we live in a society where trust is very often given without warrant. If you compare that attitude with the one that inspires the hurdles we necessarily put in place to establish electronic or business trust, I think you would agree that we set up very different standards for trusting someone depending on what we're trusting them with. That's a risk.

In our businesses, we want to, and should, be able to trust others, but unless we have a real basis for doing so, we expose our organizations to risk that they may or may not be willing to accept.

Trust is a funny thing. We give it a lot of lip service when we talk about electronic relationships, but we automatically want to trust a stranger because he or she appears to be nice, well-dressed, and well-spoken. They look trustworthy.

I had the pleasure of spending some time with Bruce Schneier last month and got the chance to speak with him about his new book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive. Schneier, in his usual thorough fashion, dissects the role that trust plays in society and breaks down why it works the way that it does.

What I really appreciate about his book, though, is that it makes me think about the role of trust at the most basic levels. Sometimes we need to be reminded of those basics when we get caught up in all the troublesome details that create a smokescreen between what we are focusing on and what we should be focusing on.

If you get a chance to read Schneier's book (beg, borrow or steal a copy, although I'm not sure what that says about trust if you steal it), you should do so...trust me!

-Bob Bragdon, bbragdon@cxo.com

P.S.: I was recently introduced to a whole new way of thinking about security when a CISO I was dining with referred to another business as a technology petting zoo. I'm going to have to think that one through a bit. I'll get back to you on it.


Advertiser Index

IBM Corp. . . . C2
Avigilon . . . 7
Knowledge Source . . . 31
CSO . . . 10, 13, 31
LogRhythm . . . 15, 17, 19
HID Corp. . . . 3
Quantum Secure Inc. . . . C3
Quest Software Inc. . . . C4
Security Smart Newsletter . . . 23
Trend Micro Inc. . . .


SVP, Group Publisher & CMO Bob Melk
Publisher Bob Bragdon
Senior Director of National Sales Per Melker
Account Director, Integrated Sales East Roz Burke
West Coast Regional Director, Integrated Sales Michelle McHugh
Account Coordinator Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations Gregg Pinsky
SVP, Online Sales Brian Glynn
East Coast Account Director, Digital Richard Hartman
West Coast Account Director, Digital Erika Karr
Central Account Director, Digital Carmen Facas
Director, Online Account Services Danielle Thorne

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Brett Ferry, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 766-5633 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Photo  by  Christopher  Navin 


avigilon.com 




CAPTURE  IT  WITH  CLARITY 




Avigilon's end-to-end surveillance solutions give you image detail no other system can match.

Get unprecedented clarity with the Avigilon Control Center software featuring High-Definition Stream Management™ (HDSM™) technology, and the broadest range of megapixel cameras (from 1 MP to 29 MP). Our scalable surveillance solutions require minimal bandwidth and storage while producing the very best image quality. And that means you always get the best evidence.


AVIGILON


THE  BEST  EVIDENCE 


What's on your mind? Security leaders discuss and debate at www.csoonline.com


BLOG POST

Beware of Vendors' Aggregated Data Clauses

What can your vendors do with your data? Michael Overly warns you to read the fine print.

A growing number of cloud and other technology agreements include grants that give the vendor broad and generally undefined rights to take "aggregated data" derived from your interaction with them and use it for unspecified purposes. Businesses should be aware of these clauses and revise them to accomplish two things: 1. ensure that the data really is aggregated and 2. reduce risk.

Aggregated Data: The first step is to ensure that "aggregated data" is clearly defined as data that is not identifiable to any person or entity (including the customer), does not contain any of the customer's confidential information or intellectual property, and is combined with similar data from the vendor's other customers. In some cases—for example, health information protected by HIPAA—there are specific requirements mandated by law for de-identifying data in this context. If that type of data is at risk, the vendor must guarantee it will de-identify the data in conformance with all applicable legal requirements.

Reducing Risk: Even if the data is properly aggregated, there is still a possibility that some form of liability could arise from the vendor's use of the data (for example, the vendor violates a law in using the data by failing to properly de-identify it), and a claim could be brought against the customer. This is why it is generally a good idea to require the vendor to indemnify and hold the customer harmless from any and all liability that arises from the vendor's use of the data, including failure to properly aggregate it.

As a further protection, customers should include language in the agreement that the customer is providing the data on an as-is basis, without warranties of any kind. That is, customers should assume no liability or obligation whatsoever in providing the data to the vendor. Essentially, the customer is doing the vendor a favor in providing the data, and the vendor should, therefore, assume all risks associated with using it.

—Michael Overly


BLOG POST

Lies, Damn Lies, Metrics, and Baseball

The legendary British Prime Minister Benjamin Disraeli is said to have noted that "There are three kinds of lies: lies, damn lies, and statistics." Much of the technology world is focused on statistics and metrics. You've often heard it said that, "If I can't measure it, it doesn't exist." This is known as the McNamara fallacy, named after the business tycoon who became a Vietnam-era Secretary of Defense and who appeared to embrace this failed strategy. While it sounds good to the CEO's ears, it also encourages other executives to think, "If my boss wants to measure something that doesn't exist, I'll invent it!" This is especially true whenever leadership is disconnected from the field.

As big data gets big buzz, promises to create new measurements will become self-fulfilling. David Hackworth, reportedly one of the most decorated soldiers in the Vietnam War, explores this premise in his preface to Sam Adams' book War of Numbers: An Intelligence Memoir. I met Hackworth in the late 1990s on the set of Joe Bob's Drive-In Theater, where I was the show's engineer in charge. Hackworth didn't look like a war hero. While he was small of stature, his legend was huge. I remember him as always smiling and joking—cheerful despite the way he had been treated by his superiors in the military. His message was that the Vietnam War had been mismanaged by disengaged leaders who were more focused on counting bodies than on strategy. As he clearly demonstrates in his books, this was a disastrous approach, as the field officers were given incentives to inflate the body count. I fear that this may happen in the InfoSec world if we become more focused on metrics than strategy and on providing glowing reports to our superiors rather than truth telling.

Warning to CISOs: Beware of metrics. Too much focus on them will force your teams to manage to those metrics instead of telling you the truth about your organization's security posture. Hackworth was a truth teller, and it cost him his career—he never rose above colonel, and he was eventually drummed out of his beloved military. But history has vindicated him. The reputations of his superiors are tarnished. Generals such as William Westmoreland and Creighton Abrams, whose aggressiveness in World War II earned them accolades and rank, are now relegated to the dustbin of history.

Ultimately, metrics must be balanced by your gut. This lesson was brought home to me on a recent flight. Evidently the gentleman sitting next to me was famous because everyone else coming down the aisle was pointing, staring and whispering to each other. Eventually I said, "Sir, clearly you are famous and I apologize for not recognizing you." He waved that off with a smile and a flick of his fingers. It turns out this gentleman manages a Major League Baseball team. I'm not much of a baseball fan, but he proceeded to educate me about the finer points of the game. During our conversation, I mentioned the movie Moneyball, which was in theaters at the time. He scoffed at the concept. "This game," he said, "is all about the gut. You have to have an instinct for the game." He said that while the whole sabermetrics thing worked for a short time, it didn't take the rest of the league long to figure it out. It was a short-term solution that glossed over a dearth of gut. These metrics stopped being useful once opponents understood them, and he dismissed the Oakland A's as an also-ran team once again.

I live in Dallas, and the Texas Rangers were in the fifth game of the American League Championship Series that night, so I asked this baseball legend to tell me what would happen in that night's game. He predicted the Rangers' destiny. "The Rangers will lose tonight," he said, "because Justin Verlander is pitching. They'll win the sixth game and go on to the World Series, where they will lose in seven." That's exactly what happened. He didn't input any numbers into a spreadsheet to find this out—in fact, he didn't even have a computer with him. He just checked his gut. It knew the answer.

Somewhere in your organization is someone with gut—someone who can look at a problem and intuitively understand it at its deepest level and probably solve it. Don't get so caught up in measuring things that you don't do a gut check once in a while. Find the David Hackworths on your team and listen to them. They'll tell you the truth. They won't pull things out of the ether so they can be "measured." Yes, sycophants are more fun, but they won't keep your organization from being hacked.

I say all this because I was in Austin for South by Southwest Interactive...on a panel called "Big Data Smackdown on Cybersecurity" with Andrew Hay and Mark Seward. Don't get me wrong. I'm all about big data. It will contain lots of valuable information that IT and security pros can use. But I worry that our love affair with big data will blind us to the obvious, much the same way the body count emphasis blinded our military leaders and kept them from actually winning the Vietnam War.

At the end of the day, my security executive friend, listen to your gut. It won't let you down.

—John Kindervag, Forrester

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
Email: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


Photo  by  Jim  Young,  Reuters 




Want to be in the know about the latest security topics and trends?

Become a CSO

You'll gain exclusive access to premium content and resources, including:

■ What to buy. In-depth reviews of security and IT solutions
■ Executive and Peer Interviews and Insights. Deep dives with the industry's top thinkers
■ Practical tips. How and IT professionals
■ Exclusive research & analysis. Incisive reports, case studies, and more
■ How to get ahead. Career advice from industry experts and peers
■ Invitations to select events. Get the inside edge

To register for Insider exclusive content visit: www.csoonline.com/insiders/index


"The nature of these groups is that leaders are important...but the group itself is amorphous." page 16


Edited  by  Bill  Brenner 


SCIENTISTS SAY SOLAR STORMS COULD KNOCK OUT POWER GRIDS

The sun has been shedding powerful waves of solar plasma and charged particles. It's just a matter of time before one of these storms knocks out a portion of our critical infrastructure, experts say.


Last month a massive solar flare erupted from a sunspot that's nearly the size of Jupiter. For days thereafter, scientists around the world waited to see if the solar plasma and charged particles the event sent toward Earth would interfere with communication systems, satellites, computer circuits and even the electrical grid.

Fortunately, northern parts of the globe got only a spectacular light show that left communications systems and utilities unscathed. But we may not always be so lucky. According to a study published in January and commissioned by the Department of Homeland Security, there is about a 12 percent chance that within the next decade a solar storm hitting Earth could be powerful enough to significantly disrupt satellites and the power grid.

Experts say it could take months (many months, or even more than a year) to repair the grid if certain critical transformers were damaged. The implications for the population of affected areas, who would be left without electrical power for an extended period, can't be overstated, as access to medical care, food, fuel and even running water might be cut.

The lack of preparedness isn't due to lack of understanding of the problem, explains Avi Schnurr, chairman and CEO of the Electronic Infrastructure Security Council. "In terms of the legitimacy of EMP [electromagnetic pulse] as a concern, there's really no credible scientific opinion anywhere that would doubt it," says Schnurr. "The [United States] did a series of high-altitude nuclear tests starting in 1962. In fact, there was some surprise that the purely theoretical idea of EMP causing electrical issues happened so readily," says Schnurr.

Schnurr explains that the first tests, known as Starfish Prime, caused electrical issues in Hawaii, more than 800 miles away from the upper atmosphere test explosion. A natural EMP, which could be created by extreme space weather, could cause the same type of damage as a high-altitude nuclear explosion.

To better prepare for the eventuality of severe space weather knocking out portions of the power grid, large transformers and other systems that are core to power delivery need to be protected.

So how much would it cost the United States to build some resiliency into the power grid? Peter Pry, a former staff member of the congressional Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack, explained that several hundred of the big electrical transformers required to keep the electrical grid up and humming could be reinforced at a cost of no more than $400 million.

The federal government is moving on this concern, albeit slowly. In 2010, the House unanimously passed the Grid Reliability and Infrastructure Defense Act, which would amend the Federal Power Act to protect critical bulk-power systems and electric infrastructure. Similar legislation is being considered in the Senate.

-George V. Hulme


Photo  by  NOAA 




>> BRIEFING


OPERATIONS 

DevOps  Outpaces  Safety  Measures 


Experts  debate  whether  the  process  changes  too  quickly  to  build  security  into  it 


For  years,  IT  has  operated  as  sets  of  separate  teams  (hopefully) 
working  toward  a  common  goal.  There  were  development  teams, 

IT  operations  teams,  quality-assurance  teams,  security  teams, 
and  those  who  deploy  and  manage  new  services.  Rarely  did  these 
departments  work  together  in  a  cohesive  fashion. 

That  is,  not  until  the  DevOps  movement,  which  couples  development 
and  operations  teams,  began  in  Belgium  in  2009.  It  has  steadily  spread 
worldwide  since.  While  common  sense  would  dictate  that  developers 
and  IT  operations  should  always  have  been  working  closely  together,  it 
didn’t  happen  in  practice.  In  big  enterprises,  it’s  the  goal  of  developers 
to  push  new  deployments  and  systems  changes,  while  operations  (and 
IT  security)  fare  better  when  systems  remain  static.  It’s  easier  to  ensure 
availability  and  security  when  things  don’t  change  rapidly. 

However,  when  IT  operations  and  development  merge  more  closely 
together,  the  number  of  deployments  can  skyrocket.  Some  organiza¬ 
tions,  such  as  Amazon,  claim  to  conduct  more  than  1,000  deployments 
a  day.  This  can  have  a  profound  effect  on  systems 
security-which  is  already,  in  traditional  operations, 
running  a  number  of  steps  behind  the  organization. 

That  is  why-if  DevOps  is  to  produce  sustainable 
and  secure  infrastructures-an  Important  evolution 
will  be  to  Integrate  security  practices  into  DevOps 
principles.  If  that’s  even  possible. 

That’s  where  Gene  Kim,  IT  author  and  former 
CTO  and  founder  of  security  firm  Tripwire,  and 
Joshua  Corman,  director  of  security  intelligence 
for  Akamai  Technologies,  come  in.  At  the  2012  RSA 
Conference  last  month,  the  two  rolled  out  a  new 
concept  for  Incorporating  security  practices  into 
DevOps.  They  call  It  Rugged  DevOps. 

Rugged  DevOps  incorporates  ideas  similar  to  those  of  Rugged  Soft¬ 
ware  Development,  and  the  goal  Is  to  make  sure  the  process  results  in  a 
defensible  infrastructure,  contains  operational  discipline,  and  includes 
situational  awareness  and  countermeasures.  “Rugged  DevOps  creates 
the  kind  of  security  the  CIO  wants,"  says  Corman. 

Part of the challenge, contends Corman, is that organizations hate
security. “It’s a tax and prevents IT from doing what it wants to do.
Security is a toxic word,” he says. However, Rugged DevOps strives to
build security into organizational processes, which makes it the kind of
security that can succeed, he says.

Rugged DevOps can improve security in part by helping an organization
whittle down legacy and overly complex infrastructures and redundant
business processes, although that may sound counterintuitive, given
DevOps’ motto of “deploy early and often.” Kim described an
organization he knew that cut the time for certain processes from
six hours to about 45 minutes. “And they were looking for more. For
instance, it’s possible to take a complex deployment process of 1,300
steps down to less than 100. One can take any long, arduous process and
shrink it down, take complexity and work out of the system,” Kim says.

“This can lower the attack surface by retiring their old infrastructures
and complexities,” adds Corman.

Another way DevOps can simplify IT is by deploying systems in
chunks that can be evaluated for how they will function in the
production environment. In agile application development, a “sprint”
is a short, fixed-length iteration that is meant to end with a single
deployable increment of code. But, as Corman and Kim note, that
increment alone is not necessarily enough material to use for assessing
how secure the code will be when it’s actually used.

Kim described how that problem can be ameliorated with an important
shift in approach. “A breakthrough (for security) came when Agile sprints
started to include shippable code and the basic components of the
environment that it will ship into,” he says.

Doing this brings some common processes into even the earliest stages
of development, which pulls in developers, quality assurance testers,
staging and production teams, and security. “Security can now be
integrated into the early stages of development. Security is no longer
an after-the-fact process. As we engage with these teams, security
becomes part of the daily process,” says Kim.

“The outcome is a much more defensible infrastructure,” says
Corman.

-G.V.H. 


12  www.csoonline.com  April  2012 


Photo  by  istockphoto 




BUSINESS  RISK  LEADERSHIP 


>>  BRIEFING 


Houston,  You  Have  a  Problem 


NASA is in the news for a security lapse again, and it shouldn’t
shock you one bit. The embattled space agency has proven a
few times already that it doesn’t have a grip on its information
security needs.

The latest example: 48 NASA laptops have been stolen in
the last two years, Melanie Pinola reports for PCWorld, a sister
publication to CSO. She writes:

“It’s not only businesses that need to worry about laptop
security. Even NASA laptops are vulnerable to theft and poor
security practices: 48 NASA laptops or mobile devices were
stolen from America’s space agency between April 2009 and
April 2011, including one, unencrypted, laptop containing
control codes for the International Space Station (ISS).
Although ISS does not appear to be in jeopardy, according
to a NASA public affairs officer who spoke to the website
SecurityNewsDaily, the NASA security breaches underscore
how serious and difficult a problem laptop and mobile device
theft is, whether you’re a government agency, a small business
or an individual.”

News of the stolen laptops follows last year’s reports that
six NASA servers were compromised. At the time, Tim Greene
wrote for another sister publication, Network World:

“Six NASA servers exposed to the Internet had critical
vulnerabilities that could have endangered Space Shuttle,
International Space Station and Hubble Telescope missions, flaws that
would have been found by a security oversight program the
agency agreed to last year but hasn’t yet implemented, according
to a report by the agency’s inspector general. NASA’s CIO
Linda Cureton says she has patched the vulnerabilities, but
Inspector General Paul Martin found that NASA still has no
ongoing program for spotting and correcting similar problems
as they arise...according to the report, titled ‘Inadequate Security
Practices Expose Key NASA Network to Cyber Attack.’”

These articles always take me back to an interview I did
six years ago with a NASA IT admin. Back then, the seeds of
insecurity had been planted and watered.

I was working for TechTarget’s SearchSecurity.com back
then, and was writing a series called “Access (Out of) Control.”
As part of the project, I interviewed William Likens, chief of
application development and technology for NASA’s Ames
Research Center.

Likens left the agency shortly after the interview, but at
the time we talked he spoke of a decentralized and fragmented
network without much interfacing between divisions or
centralization of systems.

To make matters worse, he told me, he had not seen a
groundswell of support among managers to change things. One
of the things he said floored me:

“We know when someone employed by NASA has left, but
when you are dealing with contractors, it’s much harder to
know when they are gone,” he said. “It’s a considerable security
risk,” he went on, “because people often retain access to
systems, sometimes privileged access, after their work at NASA
ends. It means orphaned accounts could be exploited not only
to gain network access, but also to leverage sensitive network
resources.”

To be fair, that interview is just a snapshot in time. Likens
also told me about increasing efforts to tighten up access
control despite the resistance, and back then you didn’t see the
paranoia over potential data breaches that you see today.

NASA ramped up its security efforts in the following years,
but I always wondered if it would be enough.

Apparently not.

NASA and its supporters dream of the day when an
American will once again walk on the moon, and maybe even
Mars. I want to see us returning to space travel as much as the
next guy.

But first, I’d like NASA to
get a handle on its security
challenges.

Security may not be the
final frontier, but it’s a frontier
the agency remains unfamiliar
with. —Bill Brenner
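The orphaned-account problem Likens describes, contractor logins that outlive the contract and sometimes keep privileged group membership, is one that a periodic reconciliation job catches. The script below is an added example, not NASA’s or CSO’s code: it compares a directory export against the roster of people HR or the contract owner still vouch for, flags anything missing from the roster or idle past a threshold, and sorts privileged hits first so they get disabled first. The account records, the roster, the field layout (login, employer, groups, last login) and the privileged group names are all constructed assumptions about what such an export would contain.

```python
"""Flag directory accounts that nobody currently vouches for.

Added example, not NASA's or CSO's code. The directory export and the roster are
constructed samples; the field layout and the privileged-group names are
assumptions about what a real export would contain.
"""
from dataclasses import dataclass
from datetime import date

# Assumed names of groups that grant administrative rights.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "sudo", "wheel"})


@dataclass(frozen=True)
class Account:
    login: str
    employer: str        # the agency itself or a contractor company
    groups: frozenset
    last_login: date


# Constructed directory export: two accounts in good standing, one contractor
# who rolled off months ago, and one privileged account from a long-ended contract.
ACCOUNTS = [
    Account("jdoe", "Agency", frozenset({"staff"}), date(2012, 3, 30)),
    Account("acme_dev", "Acme Contracting", frozenset({"staff", "sudo"}), date(2012, 3, 29)),
    Account("bsmith", "Acme Contracting", frozenset({"staff"}), date(2011, 9, 2)),
    Account("orb_admin", "Orbital Services", frozenset({"Domain Admins"}), date(2010, 1, 15)),
]

# Constructed roster: logins that HR or the contract owner confirm are still active.
ACTIVE_ROSTER = frozenset({"jdoe", "acme_dev"})


def find_orphans(accounts, roster, today, stale_days=90):
    """Return [(login, privileged, reasons)] for accounts that fail either check.

    An account is reported when it is missing from the roster or has not logged
    in for more than `stale_days`. Privileged accounts sort first.
    """
    findings = []
    for acct in accounts:
        reasons = []
        if acct.login not in roster:
            reasons.append("not on active roster (%s)" % acct.employer)
        idle = (today - acct.last_login).days
        if idle > stale_days:
            reasons.append("idle for %d days" % idle)
        if not reasons:
            continue
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        findings.append((acct.login, privileged, reasons))
    # Privileged orphans first, then alphabetical, so the worst ones are handled first.
    findings.sort(key=lambda f: (not f[1], f[0]))
    return findings


def summarize(findings):
    """Count flagged accounts and how many of them hold privileged membership."""
    return {
        "orphans": len(findings),
        "privileged": sum(1 for _, privileged, _ in findings if privileged),
    }


if __name__ == "__main__":
    found = find_orphans(ACCOUNTS, ACTIVE_ROSTER, date(2012, 4, 1))
    for login, privileged, reasons in found:
        print("%-10s %s %s" % (login, "PRIV" if privileged else "    ", "; ".join(reasons)))
    print(summarize(found))
```

The roster check is the important one: the idle-time check alone misses a departed contractor whose credentials someone else keeps using, which is exactly the exploitation Likens warns about.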


CSOonline’s new Salted
Hash blog and newsletter
covers the news as it
happens: blogs.csoonline.com/blog/cso




Photo  by  NASA 


MALWARE 


Duqu  Trojan  Written  in  Mystery 
Programming  Language 


The mystery of the Stuxnet-like Duqu Trojan has deepened with the news that
elements of its payload appear to have been written in an unidentifiable
programming language.

An ongoing analysis effort by Kaspersky Lab researchers has now uncovered
much of the inner programming structure of the software, overwhelmingly
written quite conventionally in C++.

However, delving inside the Payload.dll section of the code, the team discovered
a segment that defied their analysis. The code runs the program’s stealthy
communication with its command-and-control servers.

The  team  dubbed  the  mystery  code  the  “Duqu  Framework,”  but  has  not  been 
able  to  do  much  more  than  identify  it  as  an  object-oriented  language  of  considerable 
sophistication. 

“The  mysterious  programming  language  is  definitively  NOT  C++,  Objective  C,  Java, 
Python,  Ada,  Lua  and  many  other  languages  we  have  checked,”  says  Kaspersky  Lab 
engineer  Igor  Soumenkov. 

Payload.dll seems to be a critical element of the Trojan. According to Kaspersky,
it is used to receive instructions from remote servers and to relay stolen data, and it
can operate independently of the rest of the program. It’s also important to spreading
the Trojan to other Windows machines.

“Given the size of the Duqu project, it’s possible that an entirely different team
was responsible for creating the Duqu Framework, as opposed to the team that
created the drivers and wrote the system infection exploits,” says Kaspersky’s chief
security expert, Alexander Gostev. “With the extremely high level of customization
and exclusivity that the programming language was created with, it is also possible
that it was made not only to prevent external parties from understanding the
cyberespionage operation and the interactions with the [command-and-control
servers], but also to keep it separate from other internal Duqu teams who were
responsible for writing the additional parts of the malicious program.”

Duqu was discovered by security researchers at the Budapest University of
Technology and Economics last September. Its provenance, intention and design
matter because it has been plausibly connected to the infamous Stuxnet malware
that many believe was designed to disrupt vulnerable supervisory control and data
acquisition systems connected to Iran’s nuclear enrichment program.

The  connections  between  the  two  programs  are  contentious  but  eerie,  based  on 
their  use  of  common  elements.  What  is  clear  is  that  Duqu  is  sophisticated  enough  to 
be  the  work  of  a  well-supplied  and  skilled  team  trying  to  cover  its  tracks. 

But  in  that  respect,  they  have  failed,  as  they  were  doomed  to  do.  The  more 
sophisticated  a  piece  of  software,  the  more  unusual  its  programming  design  and 
structure  is,  and  this  expert-level  complexity  draws  attention  to  itself,  raising 
suspicions. 

Despite  turning  itself  into  a  hub  of  experts  on  the  Trojan,  Kaspersky  has  now 
appealed  to  programmers  for  help  in  identifying  the  programming  language  used  to 
create  the  Duqu  Framework. 

-John  E.  Dunn 










HACKTIVISM 

Was  Anonymous  Really 
Hurt  by  the  LulzSec  Bust? 


Security
Wisdom Watch

This month, let’s search for
the bright side of hacktivism,
if that’s even possible


Thumbs down: Hector Xavier
Monsegur. This unemployed,
28-year-old father of two allegedly
commanded LulzSec’s international
team of hackers from his nerve center
in a public housing project in New York’s
Lower East Side, using the nickname
“Sabu.” His runaway ego led the authorities
to his doorstep, and he ultimately
ratted out some of his comrades. Some
friend.


Experts  say  it's  too  early  to  tell  how  much 
damage  was  done  to  the  hacking  group 




Thumbs both ways: CloudFlare.
CEO Matthew Prince recently
disclosed that last summer his
company provided security
protection for LulzSec, the
group everyone wanted to
take down. He described it as an
intense experience that was at times
alarming, but ultimately quite educational.
“You can’t pay for pen testing like
this. Once we realized we were going
to survive, it was actually kind of a fun
experience for us,” says Prince. No doubt
the experience was valuable. We just
hope this will lead to better intelligence
about these groups and not end as just
another fun experiment.

Thumbs up: Anonymous’ attack on
the Vatican. No, we do not condone
attacks on the Vatican or anyone
else. But the happy result of this
one is that security firm Imperva, of
which the Vatican is reportedly a
customer, got a gold mine of insight into
how the group operates. Hopefully, the
resulting report will help others shore up
their sites against attack.

Thumbs up: The FBI. The real success
of the agency’s efforts has yet
to be determined, but you have to
give the FBI credit for its doggedness
in going after these groups.

-B.B. 


When  an  FBI  official  crowed  to  Fox  News  last  month  that  “We’re  chopping  off  the 
head  of  LulzSec,”  was  there  truth  in  the  boast  or  was  it  just  hyperbole? 

Clearly the agency chopped something off. As was widely reported, law-
enforcement agents on two continents arrested three top members of the computer
hacking group LulzSec and charged two others with conspiracy, based on evidence
gathered by the group’s leader, who multiple sources say had been secretly working for the
government for months, at least since his arrest last summer.

But  security  experts  say  it’s  too  early  to  tell  how  much  damage  has  been  done  to  the 
loose  affiliation  of  hacking  groups  that  operate  under  the  name  Anonymous. 

Nick  Selby,  a  Texas  police  officer  and  information  security  consultant,  likens  it  to  the 
military  taking  out  Osama  bin  Laden.  That  was  a  severe  blow  to  al-Qaida,  but  it  did  not 
eliminate  the  threat. 

“The  nature  of  these  groups  is  that  leaders  are  important  and  serve  as  role  models,  but 
the  group  itself  is  amorphous,"  he  says. 

Chet  Wisniewski,  senior  security  adviser  at  Sophos,  says  he  thinks  authorities  may  have 
“pretty  well  mopped  up”  LulzSec.  “But  they  were  a  pretty  small  group.  To  say  that  they’ve 
put  a  real  dent  in  the  Anonymous  movement-we  don’t  really  know  that  yet.” 

And  Graham  Cluley,  also  of  Sophos,  wrote  in  a  blog  post,  “It’s  cloud  cuckoo  land  to 
believe  that  the  hacktivist  element  of  Anonymous  will  fall  apart  because  of  this." 

Still,  both  Selby  and  Wisniewski  say  the  damage  could  be  significant  for  several 
reasons: 

First  is  a  quote  from  Cole  Stryker,  an  author  who  has  researched  Anonymous,  that  was 
reported  in  the  New  York  Times.  According  to  Stryker,  “Anonymous  is  a  handful  of  geniuses 
surrounded  by  a  legion  of  idiots.” 

Adding  to  that,  Rob  Rachwald  writes  in  a  post  on  the  Imperva  Data  Security  Blog,  “It 
seems  the  FBI  is  taking  down  the  geniuses  to  paralyze  the  idiots.” 

Selby wants no association with Stryker’s comment, but he does say, “What is the barrier
to entry for somebody who wants to be part of it? It’s extremely low. It doesn’t require
massive technical skills, just reasonable knowledge and a willingness to break the law.”

The  second  reason  this  bust  could  damage  Anonymous,  Wisniewski  says,  is  that  among 
those  arrested  are  some  “strong  leaders.  I’m  surprised  they  messed  up.  Some  of  them  are 
really  quite  clever.” 

That,  he  says,  sends  a  message  that  even  the  smart  ones  can  get  taken  down. 

The  third  reason  is  that,  in  the  case  of  LulzSec,  one  of  their  own  turned  against  them. 

-Taylor  Armerding 




CYBERWAR 


U.S.  Military  Logistics  Could 
Be  Vulnerable  to  Attack  by  China 

A lengthy report prepared for the U.S. government about China’s high-tech preparation
for cyberwar includes speculation about how a conflict with the United States could
unfold, and how it might only take a few freelance Chinese hackers working on behalf
of China’s People’s Liberation Army (PLA) to create deadly disruptions in the U.S. military
logistics supply chain.

The report says that if there’s a conflict, “Chinese offensive network operations targeting
the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory
to create circumstances that could impede U.S. combat effectiveness.” The report’s authors,
Bryan Krekel, Patton Adams and George Bakos, are all information security analysts with
Northrop Grumman. The report, “Occupying the Information High Ground: Chinese Capabilities
for Computer Network Operations and Cyber Espionage,” focuses primarily on China’s
cyberwar planning but also speculates on what might happen in any cyberwar. It suggests
that China would make a preemptive cyberstrike weeks ahead of any physical confrontation.

The  report’s  authors  say  the  PLA  calls  this  “paralysis  warfare”  and  aims  to  disrupt  supply 
lines,  logistics  and  command-and-control  systems  that  support  U.S.  military  operations. 

“Unlike traditional air or ballistic missile strikes, network attack and exploitation in
particular can be initiated prior to the start of traditional hostilities without being a de-facto
[casus belli] and if done properly, can be implanted with little or no attribution back to China,”
the report says. It notes that a 2007 book published by the PLA, called Informationized Joint
Operations, asserts that enemy command-and-control networks and logistics systems will
be among the first elements targeted by network forces under control of the PLA. The report
details many disruption methods, including BIOS attacks to destroy hardware components. Since
an estimated 90 percent of U.S. Transportation Command’s (Transcom) distribution and
deployment transactions are handled via unclassified commercial and Department of Defense
networks, according to the report, this means Chinese hackers would also be going after
civilian-sector companies. The report points out that there has been a 30 percent increase in
annual network penetration attempts against Transcom networks.

“If the Chinese computer-network espionage team is able to compromise the civilian
contractor network via even a rudimentary spear-phishing campaign, they will likely attempt
to use valid employee network credentials, e.g. certificates, passwords, user names, and most
significantly, network permissions; these elements provide all of the same access as the
legitimate user to immediately begin navigating around the contractor network to compromise
other machines and establish a command-and-control network before attempting to identify
high-value data to penetrate Transcom networks directly from the contractor’s now-compromised
system,” the report says.

The  authors  of  the  report  contend  that  successfully  carrying  out  this  tactic  would  not  even 
require  China’s  official  PLA  militia  units  to  be  trained  in  cyberwar.  It  could  be  done  by  “purely 
civilian  freelance  operators  (elite  hackers).” 

The report concludes: “The strategic impact to the United States of this small tactical-
scale operation would be disproportionately severe relative to effort and resources expended
on the Chinese side, achieving a strategic level outcome that Chinese military writings
on information warfare routinely laud as one of the primary benefits of a well-planned
computer-network operations campaign.” -Ellen Messmer




Photo by Senior Airman James Bell, U.S. Air Force






WEB 2.0

Hackers Infect
WordPress Blogs

Hackers are compromising blogs that run on the WordPress 3.2.1
platform in order to infect visitors to the sites with the notorious
TDSS rootkit, according to researchers from the security company
Websense.

It’s not clear how the websites are being compromised, but there
are publicly available exploits for vulnerabilities that affect WordPress
3.2.1, which is an older version of the popular blog publishing platform.
Once the attackers gain unauthorized access to a blog, they inject
malicious JavaScript code into its pages that loads a Java exploit from a
third-party server.

“From  our  analysis,  the  number  of  infections  is  growing  steadily 
(100+),’’  wrote  Websense  principal  security  researcher  Stephan 
Chenette  in  a  blog  post.  The  company’s  research  into  this  mass 
code-injection  campaign  indicates  that  whoever  is  behind  it  is 
experienced. 

The Java vulnerability exploited in the attack is known as CVE-2011-
3544, and it allows the remote execution of arbitrary code. In this case,
the attackers are leveraging it to install a version of the TDSS rootkit on
the computers of people visiting the website.

“The TDSS rootkit is one of the stealthiest rootkits in the wild,”
Chenette said. “Its goal is to acquire total control of infected PCs and use
them as zombies for its botnet.”


The vulnerability started being targeted by exploit toolkits in
December 2011. These attack frameworks usually contain exploits for
vulnerabilities in several software products, such as Adobe Reader,
Flash Player and Java.

The Websense researchers are not sure if this mass code injection
campaign uses an updated toolkit or an entirely new one, but experts
from security firm M86 Security have tied recent WordPress 3.2.1
compromises to the Phoenix Exploit Kit.

According to M86 Security researcher Daniel Chechik, the people
behind these attacks are luring victims to the infected websites by
sending them spam emails that contain malicious links.

It’s  not  clear  if  the  attacks  analyzed  by  M86  Security  and  Websense 
are  perpetrated  by  the  same  gang,  but  since  they  both  target  WordPress 
3.2.1  blogs,  webmasters  are  urged  to  upgrade  to  the  latest  version  of 
WordPress,  which  at  this  time  is  3.3.1. 

-Lucian  Constantin 
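Two checks follow directly from the article: is the site still on a pre-3.3.1 WordPress, and is any page on it loading script, applet or iframe content from a host that is not the site’s own? The script below is an added example, not Websense’s, M86’s or WordPress’s code. It reads the version string out of the stock `$wp_version = '...';` line in wp-includes/version.php, compares it numerically against a “latest” value you pass in, and walks a rendered page for tags that pull code from elsewhere, skipping hosts you explicitly allow (a CDN, say). The PHP fragment, the HTML page, the site hostname and the evil.example URLs are constructed sample input.

```python
"""Version and injected-loader checks for a WordPress site.

Added example, not Websense's, M86's or WordPress's own code. The PHP snippet and
HTML page below are constructed samples; hostnames and URLs are placeholders. The
version check assumes wp-includes/version.php keeps the stock $wp_version line.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)['\"]\s*;")


def wp_version_from_source(php_source):
    """Extract the version string from wp-includes/version.php, or None."""
    m = WP_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, latest="3.3.1"):
    """True when installed < latest, comparing numerically (so '3.10' > '3.9')."""
    return version_tuple(installed) < version_tuple(latest)


class _ExternalLoadFinder(HTMLParser):
    """Collect tags that load code from a host other than the site's own."""

    LOAD_ATTRS = {
        "script": ("src",),
        "iframe": ("src",),
        "applet": ("archive", "codebase"),
        "object": ("data", "codebase"),
        "embed": ("src",),
    }

    def __init__(self, site_host, allow):
        super().__init__()
        self.site_host = site_host.lower()
        self.allow = {h.lower() for h in allow}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LOAD_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # Relative URLs have no netloc and are same-site by definition;
                # protocol-relative '//host/x.js' does have one and is checked.
                host = urlparse(value).netloc.lower()
                if host and host != self.site_host and host not in self.allow:
                    self.findings.append((tag, value))


def external_loads(html, site_host, allow=()):
    """Return [(tag, url)] for every off-site script/iframe/applet/object/embed."""
    finder = _ExternalLoadFinder(site_host, allow)
    finder.feed(html)
    return finder.findings


def site_triage(version_php, html, site_host, latest="3.3.1", allow=()):
    """Combine both checks into one report for a site."""
    version = wp_version_from_source(version_php)
    return {
        "version": version,
        "outdated": bool(version) and is_outdated(version, latest),
        "external_loads": external_loads(html, site_host, allow),
    }


# Constructed sample input: a 3.2.1 install whose front page has picked up an
# off-site script and a hidden iframe alongside its legitimate CDN-hosted jQuery.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.2.1';\n"
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
</head><body>
<p>Hello world</p>
<script src="//evil.example/js/counter.js"></script>
<iframe src="http://evil.example/java/" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    report = site_triage(SAMPLE_VERSION_PHP, SAMPLE_PAGE, "www.example.com",
                         allow={"ajax.googleapis.com"})
    print(report)
```

Run it against the real version.php and a fetched copy of each page template. Anything it reports that you did not put there yourself is a lead; the allow list keeps known CDNs from drowning the output.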


APP  DEVELOPMENT 

Alliance  Aims  to  Improve  Software  in  Development 


Software is spreading like the plague.

It’s infecting phones, cars, household
appliances, medical gear, office equipment
and even TVs. And where software
spreads, such as to supervisory control and
data acquisition (SCADA) systems, Internet
connectivity is sure to follow.

The challenge we’ve seen in recent years,
even in highly controlled environments, is that
these systems are susceptible to attack just
as traditional applications are. This creates
risk and opportunity. The risk is that critical
systems will be found vulnerable, perhaps
in a Stuxnet-like attack that strikes crucial
systems in the United States or Europe. And
therein resides an opportunity for security and
software quality assurance firms to reach a
growing new market.

Software development testing firm Coverity
has joined forces with Wind River, which
makes embedded and mobile software, to
integrate Coverity’s testing platform with Wind
River’s embedded software system. Coverity
will also provide an edition of its Coverity
Static Analysis that is pre-configured for Wind
River Workbench, which means it will support
Wind River’s Linux and VxWorks real-time
operating systems.

The  idea,  explains  Zack  Samocha,  senior 
director  of  product  management  at  Coverity, 
is  to  provide  a  way  for  development  teams  to 
bring  security  into  the  embedded  development 
process  and  squash  security-related  bugs  as 
the  code  is  being  written.  Samocha  makes  an 
argument  that  has  long  been  supported  by 
software  security  vendors:  that  catching  flaws 
early  in  the  development  process  is  more  cost- 
effective  than  letting  them  slip  into  production. 

“Development  firms  are  always  under 
pressure  to  produce,  and  get  their  products 
to  market,”  says  Samocha.  “This  integration 
helps  them  to  catch  and  fix  security  vulnerabil¬ 
ities  quickly  and  early  in  the  process,  without 
slowing  down  development.” 


Embedded developers are going to need
all the help they can get. VDC Research Group
recently published a report that shows that
more than 50 percent of engineers who were
surveyed expect the products they’ll be developing
in two years will have Web components.
That’s a jump of 20 percent from projects
being worked on today.

Coverity  also  announced  it  has  formed  the 
Coverity  Security  Research  Laboratory.  The  lab 
will  investigate  the  causes  of  existing  and  new 
security  defects,  Samocha  says. 

“Anyone  who  develops  embedded  systems 
should  take  a  lesson  from  what  happened  with 
software  and  operating  system  vendors  in  the 
past  decade:  They  became  targets  of  both  bad 
guys  and  security  researchers  who  evaluated 
those  systems  for  flaws,”  says  Pete  Lindstrom, 
research  director  at  Spire  Security.  “There’s  no 
reason  to  believe  SCADA  and  other  embedded 
systems  will  be  any  different.” 

-G.V.H. 




Photo  by  iStockphoto 


EXPLOITS  AND  ATTACKS 

DDoS  Bot  Includes 
New  Exploit  Attacking 
Apache  Servers 

The latest version of a distributed denial-of-service (DDoS) bot called Armageddon
integrates a relatively new exploit known as Apache Killer, DDoS mitigation
vendor Arbor Networks says. The Apache Killer exploit was released in August
2011. It exploits a vulnerability in the Apache Web server by sending a specially
crafted Range HTTP header, one that asks for a huge number of overlapping byte
ranges, to trigger a denial-of-service condition.

The attack is particularly dangerous because it can be successfully executed
from a single computer, and the memory exhaustion it causes can leave the
entire targeted machine needing a reboot in order to recover.

“The  Kill  Apache  attack  abuses  the  HTTP  protocol  by  requesting  that  the  target 
web  server  return  the  requested  URL  content  in  a  huge  number  of  individual  chunks, 
or  byte  ranges,"  said  Arbor  research  analyst  Jeff  Edwards  in  a  blog  post  on  Tuesday. 
“This  can  cause  a  surprisingly  heavy  load  on  the  target  server.” 

The  vulnerability  exploited  by  Apache  Killer  is  identified  as  CVE-2011-3192  and 
was  patched  in  Apache  HTTPD  2.2.20,  a  week  after  the  exploit  was  publicly  released. 
Apache  2.2.21  contains  an  improved  fix. 

This  is  the  first  time  that  Arbor  researchers 
have  seen  this  exploit  being  integrated  into  a 
DDoS  botnet  client  that’s  actively  being  used 
by  attackers,  Edwards  said. 

Armageddon  is  a  Russian  malware  family 
designed  specifically  to  launch  DDoS  attacks. 

Because  it  is  sold  as  a  toolkit  on  underground 
forums,  there  is  more  than  one  Armageddon- 
powered  botnet  on  the  Internet. 

Aside  from  the  Apache  Killer  exploit,  the 
latest  Armageddon  version  also  incorporates 
other  application-layer  DDoS  techniques  that 
target  popular  Internet  forum  platforms  such  as  vBulletin  or  phpBB,  but  these  are 
not  particularly  ground-breaking  developments,  Edwards  explained  via  email. 

Arbor’s  researchers  have  cracked  the  encryption  scheme  used  by  the 
Armageddon  botnets  to  communicate  securely  with  their  command-and-control 
servers,  and  the  investigators  found  that  in  at  least  one  case,  an  Armageddon 
botnet  was  used  to  launch  politically  motivated  DDoS  attacks  related  to  the  Russian 
elections. 

Other  denial-of-service  exploits,  such  as  Slowloris,  started  out  as  proof-of- 
concept  programs  and  were  later  integrated  into  DDoS  bots,  so  Apache  Killer  might 
move  along  a  similar  path  to  widespread  adoption,  Edwards  said. 

The  security  researcher  couldn’t  estimate  how  many  Apache  Web  servers  are 
still  vulnerable  to  the  Apache  Killer  exploit,  but  said  that  he  wouldn’t  be  surprised  if 
it’s  a  significant  percentage  of  them. 

To  avoid  falling  victim  to  this  kind  of  attack,  system  administrators  should 
upgrade  their  Apache  servers  to  the  latest  available  version  or  should  implement 
known  workarounds. 

“There is an update to the Apache mod_security module that attempts to address
this type of attack by filtering requests with ‘Range’ headers that are too large,”
Edwards said. “However, the difficulty lies in setting an acceptable threshold for ‘too
large.’”

-L.C.
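Edwards’ point about the threshold is the whole problem with filtering this attack, so it helps to see what the filter actually has to decide on. The script below is an added example, not Arbor’s or the Apache project’s code: it parses a Range header into its byte-range specs, counts them, checks whether the satisfiable ranges overlap (Apache Killer’s ranges all re-request the same bytes), and triages a batch of raw HTTP requests. The requests are constructed samples, including a resumed download, a two-range PDF fetch and an Apache Killer-style header with 1,300 ranges; the default limit of five ranges is an assumption, chosen because it is the order of magnitude the published workarounds used, and it is exactly the knob Edwards says is hard to set, since some legitimate clients do send multi-range requests.

```python
"""Triage HTTP requests for Apache Killer-style Range headers.

Added example, not Arbor's or the Apache project's code. The raw requests below
are constructed samples; the five-range limit is an assumption to be tuned.
"""
import re

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 2616 section 14.35).
RANGE_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(value):
    """Parse 'bytes=0-99,200-,-50' into [(0, 99), (200, None), (None, 50)].

    Raises ValueError for a non-'bytes' unit or a malformed spec.
    """
    unit, sep, spec = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    ranges = []
    for part in spec.split(","):
        m = RANGE_SPEC_RE.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec %r" % part)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def _overlapping_ranges(ranges):
    """Count closed, satisfiable ranges that overlap an earlier one."""
    closed = sorted((s, e) for s, e in ranges
                    if s is not None and e is not None and e >= s)
    overlaps, last_end = 0, -1
    for start, end in closed:
        if start <= last_end:
            overlaps += 1
        last_end = max(last_end, end)
    return overlaps


def assess_range_header(value, max_ranges=5):
    """Return (range_count, verdict) where verdict is 'ok', 'suspicious: ...' or 'malformed: ...'."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError as exc:
        return 0, "malformed: %s" % exc
    count = len(ranges)
    if count > max_ranges:
        return count, "suspicious: %d byte ranges exceeds limit of %d" % (count, max_ranges)
    overlaps = _overlapping_ranges(ranges)
    if overlaps:
        return count, "suspicious: %d overlapping byte ranges" % overlaps
    return count, "ok"


def extract_header(raw_request, name):
    """Return the value of header `name` from a raw HTTP/1.1 request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return val.strip()
    return None


def triage(raw_requests, max_ranges=5):
    """Return [(request_line, range_count, verdict)] for requests carrying a Range header."""
    results = []
    for raw in raw_requests:
        value = extract_header(raw, "Range")
        if value is None:
            continue
        count, verdict = assess_range_header(value, max_ranges)
        results.append((raw.split("\r\n", 1)[0], count, verdict))
    return results


# Constructed sample traffic: a resumed download, a PDF viewer fetching two chunks,
# an Apache Killer-style request re-requesting the same bytes 1,300 times, and a
# plain request with no Range header at all.
KILLER_RANGES = "0-," + ",".join("5-%d" % i for i in range(1300))
SAMPLE_REQUESTS = [
    "GET /big.iso HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=1048576-\r\n\r\n",
    "GET /doc.pdf HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1023,4096-8191\r\n\r\n",
    "HEAD / HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=%s\r\n\r\n" % KILLER_RANGES,
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for request_line, count, verdict in triage(SAMPLE_REQUESTS):
        print("%-28s %5d  %s" % (request_line, count, verdict))
```

Feeding real access logs or a packet capture through `triage` shows how many multi-range requests your site actually sees before you pick the limit; the overlap check catches the attack even under a generous count threshold, because no honest client asks for the same bytes over and over.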












By  Michael  Fitzgerald 


Layered  Defense  for  Applications 

Securing  your  applications  has  never  been  more  important,  and  there 
are  lots  of  ways  to  do  just  that— as  long  as  you  don’t  mind  onions 


What do application security programs and onions have in common? Layers, says Ken Pfeil, global security officer at Pioneer Asset Management.

Securing corporate applications is a top priority for most security executives. Application vulnerability was the most feared threat for 73 percent of respondents to a 2011 study by (ISC)2, topping mobile devices, viruses and worms, and internal employees.

But while some companies might try to secure applications by investing in a tool—such as penetration testing or Web application firewalls—a robust application security program should take a multi-layered approach that addresses the operating system, the network layer and the development of the code itself.

Pfeil, for instance, aims his application security efforts at a variety of targets, from business executives to developers. His program includes developing business-risk-analysis reports, scheduling training sessions with development leads to gain their buy-in (and hopefully turn them into security advocates), and running a “How to Hack Web Apps” class twice a year. These classes, he says, encourage developers to build security techniques into their code from the start, such as by applying Microsoft’s Managed Code Security Guidelines and criteria from the Web Application Security Consortium. Ultimately, Pfeil says, his team uses 47 application security checks, from basics such as cross-site scripting to less-obvious measures that he says are proprietary and can’t be shared.

No Silver Bullet

Such a nuanced approach is necessary to address today’s continuously changing threat landscape and complex application environments, including mobile apps, Web 2.0, custom code, commercial software, and departmental and outsourced applications. With every code update, a new risk can be created, and even interactions between applications can cause unanticipated security problems. This complexity explains why there is no silver bullet for application security; instead, it requires a disciplined effort that involves time, money and people.

Photo by J. Clark

Relying on tools alone—such as penetration tests that simulate attacks on networks and applications—is a bit like playing whack-a-mole, according to Andy Ellis, CSO at Akamai Technologies. “They only show you how bad your code is,” he says. Finding the problem doesn’t solve the problem, and pen tests also don’t reveal all your code gaps. At Akamai, for instance, after a defect was revealed through pen testing, “we had a security researcher look in the [code] library, and lo and behold, we had 20 other defects,” Ellis says.

Jennifer Bayuk, a security consultant and program director of the Systems Security Engineering program at the Stevens Institute of Technology, is similarly skeptical of “bolt-ons” that sit on the application and check how secure it is, such as Web application firewalls. “You use a Web application firewall because your code is buggy and you know it,” she says.

Due for a Change

The Ponemon Institute’s 2011 “State of Web Application Security Survey” suggests companies barely have a handle on their applications, never mind on their application security. A quarter of respondents could not estimate the number of applications their firm had, and a fifth did not test application security at all. At those firms that did test, 40 percent tested only 5 percent of their applications, and two-thirds tested less than 25 percent of their applications.

In addition, the (ISC)2 study found that expenditure on application vulnerability management was just under 11 percent of network infrastructure spend. And despite the concern about application security, that number is actually projected to fall to about 10 percent by 2015.

Rob Ayoub, author of the (ISC)2 report and now a sales engineering manager at Fortinet, notes that over the last five years, three major changes have occurred in security vulnerabilities: operating system vulnerabilities dropped while application vulnerabilities rose; Apple products and specialized systems became bigger targets; and remote exploitation of critical vulnerabilities increased. Despite these changes, “many organizations continue to address security the same way they have for years,” writes Ayoub, who was program manager at Frost and Sullivan at the time of the study. “It is imperative for CXOs to balance their existing budgets and security postures with the latest trends.”

Getting to the Code

While CSOs can certainly make smart product purchases to improve application security, it would be better to spend more effort on developing better software and testing. An example is setting standards for naming function commands, says Bayuk. She suggests that companies start with coding standards that include security and then ensure that the quality-assurance cycle includes functional security testing and abuse cases. When developers follow similar naming conventions for program commands and data field standards, it becomes easier to automate methods of finding code vulnerabilities, Bayuk says.

Companies should also consider building code inventories, she says, so they know which code corresponds to which business process.

The rise of the Web has made coding standards more important, in part because browsers are more forgiving of code errors, Bayuk says. If each developer can independently determine, for instance, what a backslash represents, it could result in a code base in which a single command takes on multiple meanings. If a vulnerability is due to one use of such a command, it will be difficult to tell which instance of that command is at fault.

Companies may be more secure if they write their own applications, assuming they have the resources to do so, Bayuk says. At Bear Stearns, where she was CSO until 2008, one group wrote its own Web server. “[It] never had a finding in our penetration studies,” she says, and it was faster than off-the-shelf offerings. That sort of specialized application will, as a rule, be harder to hack than commercial software. But writing your own specialized applications will also require more expertise and time than buying off-the-shelf products.

The Time Trade-Off

Adding security to the beginning of the application development processes, of course, will often slow down code development. As a result, CSOs may face push-back if they do their jobs, which makes it harder to increase vulnerability testing during development, Pfeil says. Projects have fixed costs and delivery dates, which can make business units reluctant to spend a few extra days testing for vulnerabilities. Many software teams build code first and then “retroactively ask security if they have a problem with it,” Pfeil says. Few companies set up a framework that builds security controls into their software development lifecycle, he says.

Such push-back is the reason Pfeil and other forward-thinking CSOs do the extra politicking required to ensure buy-in from other executives. “As business security people, the problem is, we impact time to market and cost of goods sold,” says Roland Cloutier, vice president and CSO at ADP. As a result, he says, CSOs have to build the case that it’s worth it to build security testing into every step of the development process, because ultimately it will mean better code at the end, with less complexity and less re-engineering costs.

Cloutier also advocates taking a multi-layered approach. “It’s time to start looking at the whole delivery architecture,” he says, from the back-end inventory database to the front end where a payment method is specified. “We have to test the application’s relationship with the rest of the system.”

Of course, for large organizations with thousands of developers working on hundreds of products, looking at the entire application environment is no small effort. One practice that can make it easier is to integrate a scanning tool into the developer’s toolset. “Give them an option that says, ‘I would like my code scanned tonight.’ Then when they come in in the morning, their code is tested.” Similar options are included in any number of toolkits from big and small vendors, including IBM, Hewlett-Packard, Veracode and Qualys. “They all have great toolsets that integrate into developer environments,” says Cloutier.

>> TOOLBOX

Application Security: Tools and Techniques

In a multi-layered application security strategy, there is plenty of room for tools and products that take a variety of approaches to closing gaps and addressing vulnerabilities. Here are a few such tools:

Dynamic validation testing: Unlike static testing, dynamic testing examines applications as they are executed. It’s especially useful for databases at the back end of an application, says Kenneth van Wyk, president of KRvW Associates, a security consultancy. Dynamic validation burrows all the way down to the file information level to see if, for instance, transactions are being encrypted. A variety of tools perform this testing, such as Avalanche, an open-source tool that shows where crashes occur in a program, and Dmalloc, a library of tools for finding memory leaks. Of course, it’s important to test only on test servers, not on live production apps.

Van Wyk encourages CSOs to pick up Microsoft’s book The Security Development Lifecycle and read the chapter on testing. Besides dynamic validation testing, it discusses techniques such as fuzz testing, or bombarding an application with malformed data to see how it responds. It’s more expensive than dynamic validation testing, but it can be automated.

Application firewalls: At AutoAnything, penetration testing is supplemented with a Web application firewall purchased about three years ago from Breach Security (now part of Trustwave). The firewall can be configured to recognize if data that looks like passwords or credit card information is being transferred in the clear, says Parag Patel, AutoAnything’s CTO. And if the data is unencrypted, the software “can automatically reset connections if it recognizes inappropriate data being passed through,” he says. A local provider of outsourcing services performs the data monitoring.

Patel says his firm bought the firewall in part to ensure compliance with PCI standards. While his team engages in application-level testing, penetration testing and manual code inspections, “it’s difficult to catch everything,” he says. “The Web application firewall gives you a kind of insurance policy.”

Penetration testing: Once organizations understand where penetration testing fits into an overall application security program, it can play a vital role. Andy Ellis, CSO at Akamai Technologies, says he’s excited about the emerging Penetration Testing Execution Standard because it will help companies gain this needed perspective. “It’ll have a huge impact; it’ll really get people talking about how complex pen testing is,” says Ellis. (Learn more about the standard at www.pentest-standard.org.)

Threat modeling: With threat modeling tools and techniques, application developers can examine the design of the application and brainstorm about flaws that design might create. “I’m a huge fan of threat modeling during the design process of an application,” says van Wyk. He worked with a company that needed to update its credit card payment system to be PCI compliant. The threat model revealed that the company’s Linux servers were vulnerable in a way that could expose its entire credit card database, and also found some flaws in the management of its SSL certificates. “You’d never find that with a penetration test,” he says.

Ellis cautions that threat modeling works best for companies that have their basic security taken care of. Most don’t, he says. “If you’re trying to worry about attacks from Anonymous or the Chinese or the Russian business network, but your basics aren’t in place, you’re looking at the wrong thing. Until your basics are in place, anybody can get at you.” -M.F.
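The Web application firewall behaviour the Toolbox sidebar above attributes to AutoAnything (recognising card numbers crossing an unencrypted connection and resetting the connection) can be prototyped in a few dozen lines. The following is an added example, not AutoAnything’s, Breach Security’s or Trustwave’s code: it scans message bodies for digit runs that pass the Luhn check, leaves TLS-protected connections alone because an inline monitor cannot see inside them, and reports which constructed sample connections would be reset. The sample messages are constructed, and the card numbers used are widely published test numbers.

```python
"""Added example: inline detection of card numbers sent over an unencrypted
connection, in the spirit of the WAF behaviour described in the article.
Sample connections are constructed; the card numbers are published test values.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes. The look-arounds stop matches inside longer IDs.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return masked card numbers (first 6 + last 4 digits) found in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


@dataclass
class Connection:
    name: str
    encrypted: bool          # True when the payload travels inside TLS
    payload: str             # body as seen by the monitoring point


@dataclass
class Decision:
    name: str
    reset: bool
    masked_cards: List[str] = field(default_factory=list)


def inspect(conn: Connection) -> Decision:
    """Reset a connection only when card data is visible in the clear."""
    if conn.encrypted:
        # Nothing to inspect: an inline monitor cannot read inside TLS.
        return Decision(conn.name, reset=False)
    cards = find_card_numbers(conn.payload)
    return Decision(conn.name, reset=bool(cards), masked_cards=cards)


def inspect_all(conns: List[Connection]) -> List[Decision]:
    return [inspect(c) for c in conns]


# Constructed sample traffic (not captured data). 4111... and 4242... are
# widely published test card numbers; the order id is a 16-digit non-card.
SAMPLE_CONNECTIONS = [
    Connection("checkout_over_tls", True,
               "card=4111111111111111&exp=12/25"),
    Connection("checkout_in_clear", False,
               "card=4111 1111 1111 1111&exp=12/25"),
    Connection("order_status", False,
               "order_id=1234567890123456&status=shipped"),
    Connection("support_chat", False,
               "my card ending 4242-4242-4242-4242 was charged twice"),
]

if __name__ == "__main__":
    for d in inspect_all(SAMPLE_CONNECTIONS):
        state = "RESET" if d.reset else "pass"
        print(f"{d.name:18} {state:5} {d.masked_cards}")
```

The Luhn check is what keeps the 16-digit order id from being treated as a card number; without it a pattern match alone would reset legitimate connections.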

Communication Is Key

Even more complexity is added when business departments hire or outsource development without IT involvement. In those cases, CSOs need to ensure that all developers understand basic security concepts such as encrypting credit card and personal information.

This is often a matter of developing relationships with executives in all business departments to keep tabs on what’s being developed, says Parag Patel, CTO at AutoAnything. At the online automotive retailer, C-level execs regularly discuss new projects to ensure that, for instance, if marketing hires a firm to build a mobile website, Patel is aware of it and can ensure that the effort complies with security and management policies.

In many ways, organizational understanding and awareness of application security is maturing, especially as application portfolios grow more complex, thanks to mobile apps and the Web. Akamai CTO Ellis notes that it’s a relatively new concern to build security into the application. SSL and SSH, he notes, did not exist when the Web was first created. As applications have become more complex and encrypted protocols have spread, “we do a lot more work to defend the application,” he says. ■


Freelance writer Michael Fitzgerald is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.




Photo by Volpelino




COVER STORY | GOVERNANCE, RISK AND COMPLIANCE


Risk of GRC?


Does governance, risk and compliance (GRC) really pay off? It’s a valid question for any organization that’s looking to formulate a corporate strategy and implement software for managing GRC.

For Fiserv, the answer is an emphatic “yes.” The business was founded in 1984 and currently has about 19,000 employees operating out of some 200 locations worldwide.


Governance, risk and compliance (GRC) can be a dauntingly complex undertaking. But for Fiserv, the alternative was even more complicated.

By Bob Violino


Fiserv is a global provider of information management and electronic commerce systems for the financial services industry, and offers integrated technology and services for clients. It provides technology solutions in five areas: payments, processing services, risk and compliance, customer and channel management, and transforming data into actionable business insights.

The company has more than 16,000 clients worldwide, including banks, credit unions, mortgage lenders and leasing companies, brokerage and investment firms, and other businesses. Fiserv helps these clients address challenges such as attracting and retaining customers, preventing fraud and meeting regulatory requirements.

In 2008, Fiserv decided to embrace a formal GRC strategy “because it was the best way to manage through a thicket of simultaneously occurring changes in our business and regulatory environment,” says Murray Walton, senior vice president and chief risk officer.

The company’s business strategy has evolved in recent years from a holding company to an integrated operating model, creating greater complexity in the organization and the solutions it provides to clients, Walton says.

“The external environment has also changed, and today we face more government regulation and non-government standards, such as [PCI DSS],” Walton says. “Navigating all these challenges at the same time required a much more structured approach to governance, risk and compliance than our previous spreadsheet-driven methods.”

Before deploying Agiliance’s GRC software, called RiskVision, “I would have characterized our environment as diversity on steroids,” Walton says. “We had diversity of understanding about what risk assessment and monitoring means. We had diversity of understanding about what was required or expected, and diversity of methods and practices. As a result, we had an absolutely enormous challenge to try to develop a picture of our enterprise risk and enterprise compliance.”

Photo by James Schnepf

Fiserv SVP and Chief Risk Officer Murray Walton: “The better we understand our existing risk profile, the more intelligently we can evaluate nonstandard client terms.”

There was no common understanding or vocabulary or process related to risk, Walton says. “The good news is that, with enough effort, we were able to manage risk, but there was a challenge of being able to document that to our board of directors or regulators, and to look beyond the horizon. All of a sudden, our diversity had become a risk itself.”

Rigorous Processes

Today, the company’s GRC focus is on risk assessment, compliance monitoring, policy management and remediation tracking. Because Fiserv provides technology solutions to the financial services industry, it is regulated by the FDIC, as if it were a bank itself.

Since the 2008 market collapse, “it has been critical to our regulators and clients that we have rigorous processes in place to identify, understand, control, remediate and monitor our risk and compliance posture,” says Raji Ganesh, Fiserv vice president of risk and compliance. To meet that challenge, the company realized it had to upgrade its processes and tools, and it standardized its approach to GRC across an enterprise where decentralization formerly ruled.

Fiserv began its program upgrade knowing that it needed a technology solution to support its initiatives. “But we were concerned that the technology solution could drive the program rather than the other way around,” Walton says. “There are some solutions in the market that, in my view, appear to be dogma-driven. Someone thinks they know the answers and have a one-size-fits-all approach to how risk and compliance monitoring ought to occur.”

The company wanted software that addressed the widest possible range of regulatory and third-party standards. “If we only needed to be compliant with Gramm-Leach-Bliley or with HIPAA or with some other single regulation,” then flexibility wouldn’t be as much of a concern, Walton says. “But all those [regulations], and more, matter to us.”

First, Fiserv carefully built its GRC program to meet the organization’s needs, and then it selected the technology to support that program. Managers opted for RiskVision after exploring many alternatives in the market. So far, they have been pleased with the technology, and say it has had a transformative effect on the risk-management program.

“RiskVision has empowered our risk-management staff to operate on a higher, more strategic plane,” Walton says. “In the past, our team spent a disproportionate share of its time manually collecting and manipulating data. Just getting to a baseline understanding of our risk profile consumed most of our available horsepower, leaving far too little time for analysis and problem-solving.”

The Agiliance software has enabled Fiserv “to turn our paradigm on its head,” says Ganesh, and to shift her team of former risk tacticians and number crunchers into enhanced roles as risk strategists, allowing them to have a much greater effect on the organization.

“It allows us to get beyond that almost clerical use of people,” she says. “The system does that [number crunching] really well. It has taken our people from being focused on minutia to focusing on the big picture.”

Multiple Benefits

The software automates the tasks that were consuming the majority of this team’s time, including data collection, aggregation, workflow and reporting. Now, armed with useful, organized output from the system, “they can primarily focus on deeper analysis and engagement that leads to more effective remediation and control of the risk in our organization,” says Ganesh.

Fiserv is also benefiting from the workflow and configuration management components of the GRC software.

“In a complex enterprise like ours, inputs and approvals may be needed from multiple units within the company to complete a single assessment,” Ganesh says. “RiskVision workflow management expedites our processes and eliminates sneaker-net movement of files. Also, organization and hierarchy changes that formerly required many hours of manual effort to implement are now a simple matter of system configuration that takes only minutes.”

Reporting is also simplified by the GRC system’s standard reports and its data export feature, which allows the firm to create reports using tools of its own choosing, Ganesh says.

The software allows Fiserv to produce a dashboard for managers, which shows them a color-coded picture of exactly where risk resides in the organization. “It makes it abundantly clear that this is where you ought to be focusing on remediation efforts, investments, policy, people issues,” Walton says.

“Rather than spending all that time figuring out where the risk is, we now get that intelligence from the system, and can spend more time addressing what we’ve found.”

The company estimates that to produce the type of detailed risk profile it gets from the software over a three-month period now, it would previously have taken about six months using Fiserv’s old manual process. The older method would also have required seven to 10 more staff members and would have cost Fiserv an additional half-million dollars.

Another benefit is the increased credibility the enterprise risk management team has gained in its interactions with management, regulators and members of the board of directors. “We have much broader, deeper and better-presented data than ever before,” Walton says. “I can now engage with any of my team’s constituencies with greater authority and confidence, and this has strengthened all of these key relationships.”

Because it has contacts with other corporate users of the software, Fiserv has benefitted by learning about how others have successfully handled GRC processes. Ganesh is a member of an advisory group for users of the product, and she and Walton have taken advantage of formal and informal opportunities to interact with other companies using Agiliance.

“Although every company is different, the journey to maturing the risk management function has common elements, whatever your business,” Ganesh says. “We have appreciated the opportunity to interact with others who are at different points on the maturity curve, and who have already figured out how to meet a challenge that is new to us.”

Overcoming Hurdles

Exchanging best practices and getting advice from more experienced GRC practitioners was especially useful for Fiserv because the company faced a number of challenges during its GRC implementation.

For example, when the enterprise set up a new comprehensive information security standards program about a year and a half ago, that created another rule set for GRC.

“So now we were adding another layer to our control policies, and we needed to learn how to build that” into the software, Walton says.

“This was a need we didn’t anticipate, but we had the ability to talk to others and our advisers at Agiliance, who recommended a policy-management module that links directly with existing RiskVision content. It saved us many months and at least a couple hundred thousand dollars of exploratory work.”



An even bigger challenge for Fiserv was creating a common understanding of the logic, discipline and vocabulary of professional risk management, Walton says.

“Fiserv was formed through the acquisition of more than 140 companies over the past 26 years, and until a few years ago most of our business units operated with considerable autonomy,” Walton says. “They managed risk the way they always had, and their practices pre-2007 reflected varying degrees of maturity and sophistication. Lacking common systems and processes across our enterprise, we achieved diverse results.”

The value of a packaged solution is that it doesn’t skip steps, Walton says. “It enforces a rigorous, process-driven approach to risk management that is inherently missing in the kind of homegrown, paper-based processes we used before.”

The RiskVision implementation has been successful largely due to the comprehensive training of users within the company, and because the tool itself anticipates that users will approach the system with varying levels of understanding.

“Essentially, there’s a lot of help built into the tools, and the user interface is solid,” Ganesh says. “In fact, Agiliance was willing to take our suggestions and incorporate them as core product functionality.”

Because the software was new for everyone, “we chose an implementation path that included a lot of professional services support,” Ganesh says. “This allowed us to stage our roll-out on time, with no surprises, and excellent user support. Usability was one of our most heavily weighted selection criteria, and we feel like we hit a home run with RiskVision.”

The most challenging aspect of the GRC implementation was security. “Because we have so many business units and a complex hierarchy, the ability to set user permissions at a granular level is very important to us,” Walton says. “We utilize a ‘least privilege’ security model, and it has taken time for us and Agiliance to fully develop this functionality.”

Walton thinks two related trends are conspiring to make having a robust GRC strategy and software implementation more of a necessity for many companies.

“First, we seem to be in an era of re-regulation, and every new regulation brings new compliance obligations,” he says. “Second, contract and vendor-management processes are being used more frequently to shift the onus of compliance obligations onto vendors.”

From a vendor’s perspective, sometimes there is a business reason to consider accepting contract provisions from a prospective client that create unusual or incremental risk. “We believe that the better we understand our existing risk profile, the more intelligently we can evaluate nonstandard client terms,” Walton says.

“When we do agree to unusual requests, we also need the capability to monitor our own compliance. This is a huge advantage of our RiskVision implementation. It allows us to accept risks that would be unthinkable if we were flying blind.”


Like a number of industry experts, Walton thinks it’s important to remember that GRC is a process supported by technology, and companies should avoid focusing only on the software.

“An effective risk-management program is part of an organization’s quest for self-awareness,” Walton says. “To begin with technology rather than process is to risk letting the tool define the program rather than support it. Before you can decide which tool meets your needs, you need an overarching process that helps assess your business and its assets, vulnerabilities and risk appetite.”

Only when a company understands these baseline concepts can it really know how a GRC software solution will fit into its risk-management program.

Lessons Learned

■ The more decentralized the enterprise, the more complex the GRC implementation will be. Do not underestimate basics such as technical project management and behind-the-scenes network readiness.

■ Your existing risk-management team might fear that adopting GRC software will eliminate their jobs, or change their job functions in ways that take them outside their comfort zones or skill sets. Work with your GRC software provider and its user community to help your team understand the opportunities for professional growth the new system will provide and other potential benefits of the change.

■ Don’t try to use every bell and whistle available in your GRC solution on day one. Start small, simple and focused, with a clear idea of the outcome you want. Grow into your system.

■ Think of your GRC system as a flashlight, shining into the dark cupboards of your organization. You will be surprised how much better your risk and compliance fact base and reporting capabilities are immediately after you get your new system up and running. You will also be surprised by how hard it is to determine how to most effectively use the increased insight to improve risk management in your organization. ■

Bob Violino is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.


April  2012  www.csoonline.com  27 


Tight relationships with law-enforcement agencies are the key to tracking down and prosecuting check fraud criminals. By Mary Brandel


Thanks to increasingly sophisticated technology and ongoing economic uncertainty, all types of fraud are flourishing today, including check fraud. The prevalence of mobile and wireless technologies and the increasing ease of access to high-quality printing and duplication technology are making it easier for criminals to steal credentials, alter check numbers and create counterfeit checks.

According to a December 2011 survey published by the American Bankers Association, 73 percent of banks reported check fraud losses in 2010, totalling approximately $893 million in losses.

Charles Andrews, director of security and investigations at TeleCheck, a division of First Data, says the key to staying on top of ever-shifting check fraud tactics and tracking down the criminals is maintaining strong relationships with not just internal risk assessors but also law-enforcement agencies across the country, including the Secret Service. His team’s accomplishments were noted by the U.S. Marshals Service, which invited Andrews and his team to train its investigators on financial crime investigation tactics.

Andrews joined the electronic check acceptance service four years ago, after 30 years in law enforcement, corporate security, business risk, and consulting.

As a proponent of professional development, Andrews has joined his entire team in pursuing master’s degrees at the University of Houston. He has received a lifetime achievement award from the International Society of Crime Prevention Specialists, has studied criminal justice at Sam Houston State University, and has board certifications from the Association of Certified Fraud Examiners and ASIS International.

We recently spoke with Andrews about the never-ending task of battling check fraud.

CSO: Can you describe how TeleCheck detects fraud?

Charles Andrews: Potential cases come from many different directions—from victims, law-enforcement agencies and our own internal systems—and then we use different tools to determine which cases require investigation.

Photo by Scott Kohn

FRAUD PREVENTION

Charles Andrews, director of security and investigations for TeleCheck, says fraud detection is “a moving target.”

Through our service, we verify checks against a database of known good check writers that we’ve been building for over 40 years. As the check writer presents a check at the point of sale, we can see if they are a known good check writer and how the transaction scores based on hundreds of criteria that may indicate fraudulent activity. We flag transactions that appear risky for a decline or a follow-up.

That gives merchants a first line of defense at the point of sale, and then we use these transactions to improve our fraud-detecting algorithms on a daily basis.

What would a typical investigation look like?

Once we encounter a situation where we believe a transaction may be fraudulent, that’s where we may kick in with an investigation, working with law-enforcement agencies. Some of these cases are quite large and might involve organized groups that work the entire country, up and down the interstates, and we pursue those people by gathering evidence on their transactions and trying to identify who they are.

Our own systems provide us with information or clues on the person’s patterns of behavior around the country or in a geographic area. We take all that information, combined with other open sources of information, and work with law enforcement to identify that person or organization in an attempt to make a criminal case against them.

Sometimes there are overlaps in which agencies we work with—if the criminal hits, say, in Georgia, then in New York, and then we see them working along the Eastern Seaboard. We can follow their behavior on a map and see patterns in the times these incidents are happening. Then we contact merchants to collect video images, receipts and a lot of other indicators.

It’s key to have relationships with the law-enforcement agencies—we know who to call, and sometimes they’re already working cases with the same types of indicators. We build an aggregated case, and if it goes across state lines, the federal agencies get involved, and we collaborate.

What is an example of a fraud indicator?

There are literally hundreds of parameters, and they vary from merchant to merchant. We tune the parameters for each merchant according to the nature of their business and their fraud tolerance.

One red flag is a marked increase in the frequency of check writing. For example, if a particular check writer has a history of writing a check at the grocery store every week and paying the rent every month but is suddenly writing several checks in one day at electronics and jewelry stores, that change in behavior strongly suggests something is amiss. Or maybe the check transactions are occurring all in retail stores, all in banking or all in electronics.
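A toy scoring routine for the two indicators Andrews describes in this answer and the one on point-of-sale verification above: whether the writer appears in a known-good history, and a sudden jump in check-writing frequency or merchant category. This is an added example, not code from the article, TeleCheck or First Data; the writer ids, the transaction history, the category labels, the weights and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Check:
    """One check presented at a point of sale (all fields are constructed sample data)."""
    writer_id: str   # assumed identifier of the check writer
    day: date        # date the check is presented
    category: str    # assumed merchant category label: grocery, rent, electronics, ...
    amount: float


# Constructed history for writer W1: a grocery check every Monday for 12 weeks
# and a rent check on the first of each month, the steady pattern Andrews describes.
HISTORY = [Check("W1", date(2012, 1, 9) + timedelta(weeks=i), "grocery", 85.0) for i in range(12)]
HISTORY += [Check("W1", date(2012, m, 1), "rent", 950.0) for m in (2, 3, 4)]


def baseline(history, writer_id, as_of, window_days=90):
    """Expected checks per week and usual merchant categories in the window before as_of.

    A writer with no prior checks is unknown and returns (0.0, frozenset()).
    """
    start = as_of - timedelta(days=window_days)
    prior = [c for c in history if c.writer_id == writer_id and start <= c.day < as_of]
    if not prior:
        return 0.0, frozenset()
    return len(prior) / (window_days / 7), frozenset(c.category for c in prior)


def score_check(history, check, velocity_weeks=2.0):
    """Score one presented check against the writer's history; higher is riskier.

    Returns (score, reasons). The weights are illustrative assumptions.
    """
    score, reasons = 0, []
    per_week, usual = baseline(history, check.writer_id, check.day)
    if not usual:
        return 30, ["writer not in known-good history"]
    # Velocity indicator: checks already written today plus this one, compared with
    # what the writer normally writes in `velocity_weeks` weeks.
    today = 1 + sum(1 for c in history if c.writer_id == check.writer_id and c.day == check.day)
    if today >= 2 and today > per_week * velocity_weeks:
        score += 40
        reasons.append(f"{today} checks today vs. {per_week:.2f}/week baseline")
    # Category indicator: a merchant type this writer has not used in the window.
    if check.category not in usual:
        score += 25
        reasons.append(f"unusual merchant category {check.category!r}")
    return score, reasons


def decide(score, decline_at=60, review_at=25):
    """Map a score to the outcomes Andrews names: decline, follow-up, or accept."""
    if score >= decline_at:
        return "decline"
    if score >= review_at:
        return "follow-up"
    return "accept"


def run_day(history, presented):
    """Score checks presented during one day in order, recording each in the history
    so later checks see it. Returns a list of (outcome, score, reasons)."""
    history = list(history)
    outcomes = []
    for check in presented:
        score, reasons = score_check(history, check)
        outcomes.append((decide(score), score, reasons))
        history.append(check)
    return outcomes


def demo():
    """The constructed day: W1 drifts from grocery into electronics and jewelry;
    W9 has no history at all. Returns (check, (outcome, score, reasons)) pairs."""
    day = date(2012, 4, 2)
    presented = [
        Check("W1", day, "grocery", 80.0),
        Check("W1", day, "electronics", 1400.0),
        Check("W1", day, "jewelry", 2200.0),
        Check("W9", day, "grocery", 40.0),
    ]
    return list(zip(presented, run_day(HISTORY, presented)))


if __name__ == "__main__":
    for check, (outcome, score, reasons) in demo():
        print(f"{check.writer_id} {check.category:<12} {score:3d} {outcome:<9} {'; '.join(reasons)}")
```

Running it scores the constructed day check by check: the routine grocery check is accepted, the first electronics check is flagged for follow-up on the category indicator alone, the third check of the day trips the velocity rule as well and is declined, and the writer with no history goes to follow-up. The point of recording each check before scoring the next is that the frequency indicator catches a burst of checks rather than a single unusual purchase, which is the pattern Andrews singles out.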

How is your investigative team structured?

The investigative team includes four investigators, bringing together on one team diverse experiences from retail, financial, investigations and our own in-house operations. This team is very collaborative, and the investigators contribute their own expertise to the cases we investigate.

Are there any quantitative results you can share about the program?

We can’t go into too much detail about our metrics, but our team has demonstrated a measurable increase in effectiveness, improving by more than 35 percent in all its metrics year over year.

How does the increase in the use of technology for committing fraud change the job of detecting and investigating these cases?

The technology underlying financial services has evolved very rapidly, and the ways to perpetrate financial crime have evolved, so it’s a moving target. Given the virtual world, the criminals’ modus operandi is to stay mobile, since they know that staying mobile reduces their exposure and risk.

Mobile and wireless technologies have dramatically improved skimming technology, for example. Once a criminal has affixed a skimming device to an ATM or point-of-sale terminal, he no longer needs to retrieve the device to collect the stolen data; thanks to wireless technology, he can collect it from the safety of his car in the parking lot.

Also, rather than clustering fraudulent purchases in one location, where a rise in flagged transactions might be obvious, they try to make their fraudulent transactions less obvious by driving around a fairly wide area.

Consequently, we continually adapt and improve our technology, sometimes on a daily basis, to develop new ways to identify and mitigate their new tactics. We stay abreast of new fraud tactics through industry organizations, law enforcement, industry fraud investigators and fraud and security technology companies, and we use all the tools and technologies at our disposal to better understand fraudster behavior and identify how and where they might strike next.

How important are your relationships with law enforcement?

If someone is a victim of fraud—counterfeit checks, forgery, identity theft—who do they call? They might call their bank or credit card company, but they also call law enforcement. And if they’re going to make a case, law agencies know to notify us so they can subpoena evidence. If it goes the other way, where we detect fraud, we need to know who to call—who has the right venue and the right jurisdiction. It’s important that we understand how we can quickly work through the process and get law-enforcement agents the information they need to get the fraudster stopped or identified.

We develop and maintain relationships with every law-enforcement agency and division in this country, from Interpol down. And what we do affects everybody financially, even people who are not part of our portfolio. The same fraudsters could be operating across multiple stores and institutions, so it’s important for us to be able to contact any field office in the United States to immediately begin working on a case.

When we have close relationships with law enforcement and understand the parameters they work within, we can make sure we deliver the evidence—the transactions, quality images and patterns of behavior—that they need in a nice, tightly wrapped package, so they can build a good strong case. Because we’re familiar with the various state and federal statutes and the needs of the pertinent law-enforcement agencies, we know what information is required to prosecute and, following appropriate process, we can share information in a manner that suits their needs, thereby enhancing the efficiency of their investigations.

Do you ever get involved in cases beyond check fraud?

Most often, the information we collect is used for financial fraud crimes. But there are times where our data is able to support investigations that are not purely financial crimes. There was a case in which a kidnapper had taken a child to another state, and we were able to assist law enforcement in identifying and apprehending the kidnapper. ■


Mary Brandel is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.


MARKETPLACE

CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward. If you are a senior security or IT professional, we’d love to have you join—apply for membership today.

www.CSOonline.com/linkedin

Online CISSP® Exam Preparation Course

Our online 12-topic (ISC)²® CISSP® Exam Preparation Course runs May through May 21st

Offered by Knowledge-Source.org

Knowledge Source is an Academia-Industry alliance affiliated with the Information Institute. Course taught by university faculty and industry professionals. Seats limited. Registration must be made online.

Visit www.Knowledge-Source.org for more details and to register.

Personalized IT newsletters from Tech Dispenser.

You pick the topics. You pick the sources. You pick the frequency.

Build your own newsletter featuring your favorite technology topics — cloud computing, application development, security — over 200 timely topics, from more than 700 trusted sources.

Get started today. It’s free. www.techdispenser.com


[DEBRIEFING]

Cartoon: a mock formula for how secure an organization is, assembled from terms such as time to attack, malicious email attachments, security staff coverage, executive bonus, total number of staff certifications, Fermat’s penultimate Theorem and the number of apologies in Domino’s Pizza ad campaigns. Caption: “That’s how secure.”


Take Control of your Physical Security Infrastructure with SAFE Solutions

Our SAFE Software Suite is a Physical Identity and Access Management System that enables a global approach to automate and streamline your Physical Security Infrastructure. With SAFE Solutions from Quantum Secure, automate and streamline physical access management, gain visibility and take control of on/off boarding processes across global facilities, and closely manage restricted areas to ensure compliance and reduce corporate risks.

SAFE delivers attestation reports for compliance to regulations such as SOX, NERC, PCI, HIPAA and more. SAFE also performs insider risk assessment with facility access analytics, and will operate with disparate physical access (PACS) and HR systems. The SAFE Software Suite is designed to create unprecedented efficiencies and lower all physical access related risks.

SAFE is Ideal for:

> Government

> Airports and Ports

> Telecom

> Energy and Utilities

> Healthcare, Pharmaceuticals

> High Technology

> Financial

> Higher Education

> Transportation

© 2012 Quantum Secure, Incorporated. All rights reserved.


A tale about being visible, proactive and secure

To keep the skies safe, an air traffic controller directs, watches and predicts traffic issues - while managing constant change.

Lesson learned: without control, the sky is falling.

Quest solutions deliver visibility into your environment, so tracking and managing change - while maintaining corporate governance and compliance - is a snap. Ready to dismiss governance and compliance flights of fancy? Quest can help.

Read the eBook at www.quest.com/ITCompliance

QUEST SOFTWARE®

© 2012 Quest Software, Inc. ALL RIGHTS RESERVED. Quest, Quest Software and the Quest Software logo are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. ADW QuestOne-UAM-QI 201 2-EW

Simplicity At Work®